Although it's been a few weeks since the RSA show, I wanted to pass on something that struck me as I walked around the show floor, checking out all the booths. Last year, the hot buzzword of the show seemed to be "compliance". Everyone was jumping on that bandwagon in their marketing, because customers seemed to view their compliance challenges as the biggest problem that they faced. And, when large enterprises express a major problem that they face, you can bet that very soon most software companies will begin to use that messaging in their marketing activities. But, this year, a strong compliance emphasis was not in evidence at the RSA show. Sure, there were a few pure compliance vendors there, but the amount of general compliance marketing was, in my view, less than in previous years.
What does this mean? Do customers not care about compliance any more? Have they given up on adopting technology to help them solve this problem? Or, have they already solved it?
The answer, I believe, is "no" to all of these questions. I actually think that the lack of overwhelming compliance messaging is good news. It means that large enterprises have recognized the importance of automating their compliance activities (for example, by using identity and access management solutions) and have embarked on that journey already. They have experienced the pain of attempting compliance with each regulation as it comes along, with the high costs and redundant effort that this approach entails. They have seen how onerous compliance audits can be when their security controls are not automated or easily auditable. So, they have begun to deploy solutions (particularly IAM) to help them along in this process. They have adopted industry frameworks (such as CobiT) as best practices, and are using these frameworks to help them "rationalize" controls across a range of regulations, thereby minimizing the redundant effort that their compliance "silos" caused them in the past. In summary, they have embarked on the "IAM compliance journey", and therefore are not highly swayed by the purely compliance-driven pitch that almost all types of security software products used in the past.
But, they also recognize that their journey is just that: an ongoing process of automating and improving their security controls to further ease their compliance burden. They will likely continue to automate their controls and testing processes, making ongoing audits much less challenging, as well as ensuring that new regulations can be accommodated much more easily than in the past.
The following graphic illustrates some of the common characteristics of the phases of compliance automation and optimization. As always, your mileage may vary. But a useful exercise is to ask yourself where you are on this continuum of maturity, and what improvements (in technology, processes, etc.) you need in order to move to the next phase. If you're down near the bottom left of the graph, don't despair. I think many companies are trying to get through the "Reduce Costs" phase without too much pain. Very few are actually in the Optimize phase.